Security Basics mailing list archives
RE: tools used to examine a computer
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 20 Feb 2003 09:14:38 -0000
My final word on this is that I was talking about cloning the disk or partition and not using dd for single files, if that helps clear any confusion about what I was saying. At the end of the day, if it was a serious issue that might go to full legal investigation, I would call in professional law enforcement agencies who have the right tools and software for the job. So when running an Incident Handling operation the main thing to know is when to touch the machine at all to do anything and when to declare it serious enough for legal action to be taken.

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: 19 February 2003 19:15
To: David J. Bianco
Cc: Trevor Cushen; security-basics () securityfocus com
Subject: RE: tools used to examine a computer

David,

I did say "hashes the file (MD5 and/or SHA-1)"...so do it both before and after you copy it over the network. Just be sure to collect the MAC times *before* you hash it, as hashing causes the file to be accessed, and the last access time changes.

--- "David J. Bianco" <bianco () jlab org> wrote:
> On Tue, 2003-02-18 at 13:02, H C wrote:
> > > Also on the point of copying files over the network first, correct me if I'm wrong but that damages the chain of evidence.
> >
> > How so? If one collects the necessary info (ie, MAC times, NTFS ADSs, permissions, full path, etc), hashes the file (MD5 and/or SHA-1), and then copies the file over the network using something like 'dd' or type, and netcat/cryptcat, how is the chain of evidence broken? Especially if it's documented?
>
> Although Trevor has since posted a clarification to the effect that he was referring to file copying as opposed to creating a bit image with dd, I think it's worth noting that in order to guard against accidental or malicious network data tampering, you'd have to guarantee that the data traversed the network without being tampered with, probably by computing an md5 sum on the data at both ends of the transfer. Otherwise the chain of evidence would indeed be broken, since most networks are not guaranteed to be reliable or secure from tampering.
>
> David
>
> --
> David J. Bianco <bianco () jlab org>
> Thomas Jefferson National Accelerator Facility
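The collection order the thread settles on (metadata first, then hash, then copy, then re-hash at the far end) as a runnable script. This is an added example, not code posted by anyone in this thread. It assumes GNU coreutils (stat -c, md5sum, sha1sum, touch -d); the transport step is a local pipe standing in for the 'dd | netcat' pair discussed above, and the collector address 10.0.0.5:9999 that appears in the comments is hypothetical.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: per-file evidence
# collection in the order discussed above. Record MAC times, permissions and
# full path FIRST, then hash (MD5 and SHA-1), then copy with dd, then re-hash
# the copy at the far end and compare. Assumes GNU coreutils. The transport is
# a local pipe in place of 'dd | netcat'; the 10.0.0.5:9999 collector address
# in the comments is hypothetical.
set -u

# Append MAC times, permissions and path of FILE to LOG. This runs before any
# hashing because reading the file to hash it can update its last access time.
record_metadata() {
    file=$1; log=$2
    # GNU stat: %x access, %y modify, %z change, %A permissions, %n name
    stat -c 'atime=[%x] mtime=[%y] ctime=[%z] perms=%A path=%n' "$file" >> "$log"
}

# Last access time of FILE, used to show the side effect of hashing.
atime_of() {
    stat -c '%x' "$1"
}

# Print "<md5> <sha1>" for FILE.
hash_file() {
    file=$1
    printf '%s %s\n' "$(md5sum "$file" | cut -d' ' -f1)" \
                     "$(sha1sum "$file" | cut -d' ' -f1)"
}

# Acquire FILE into DEST, logging metadata and the hashes taken before and
# after the copy. Returns 0 when both hash pairs match, 1 otherwise.
# On a real collection the middle step would be, for example:
#   dd if="$file" bs=4096 | nc -w 3 10.0.0.5 9999     # on the examined host
#   nc -l -p 9999 > "$dest"                           # on the collector
acquire_file() {
    file=$1; dest=$2; log=$3
    record_metadata "$file" "$log"
    before=$(hash_file "$file")
    printf 'source hashes: %s\n' "$before" >> "$log"
    dd if="$file" bs=4096 2>/dev/null | dd of="$dest" bs=4096 2>/dev/null
    after=$(hash_file "$dest")
    printf 'copy hashes:   %s\n' "$after" >> "$log"
    if [ "$before" = "$after" ]; then
        printf 'result: MATCH\n' >> "$log"
        return 0
    fi
    printf 'result: MISMATCH - copy not verified\n' >> "$log"
    return 1
}

# Demo on constructed input.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed evidence content\n' > "$tmp/evidence.txt"
    # Backdate the access time so a read is visible even on relatime mounts.
    touch -a -d '2 days ago' "$tmp/evidence.txt"
    echo "atime before hashing: $(atime_of "$tmp/evidence.txt")"
    if acquire_file "$tmp/evidence.txt" "$tmp/evidence.copy" "$tmp/chain.log"; then
        echo "copy verified; hashes match at both ends"
    else
        echo "hash mismatch: transfer corrupted or tampered with" >&2
    fi
    # Unless the filesystem is mounted noatime, this is now later than above.
    echo "atime after hashing:  $(atime_of "$tmp/evidence.txt")"
    cat "$tmp/chain.log"
    rm -rf "$tmp"
}

demo
```

The two atime lines the demo prints show the effect H C warns about: the metadata record taken by record_metadata is the only copy of the original access time, so it has to be written before md5sum ever opens the file. The before/after hash comparison is the check David asks for; using cryptcat instead of netcat protects the bytes in transit but does not replace comparing hashes at both ends, since a mismatch is the only evidence of a corrupted or altered transfer.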